[ACCUMULO-3681] Avoid string format injection problems - ASF JIRA

XML

Word

Printable

JSON

Details

Type: Sub-task
Status: Resolved
Priority: Major
Resolution: Fixed
Affects Version/s: None
Fix Version/s: 1.7.0
Component/s: build
Labels:
None

Description

In log4j, we could write log.debug(e,e);, where e was an Exception type, whenever we didn't have a more specific message to put in. Log4j would convert the first parameter to a String.

With the migration to slf4j, this no longer works. Instead, slf4j requires the first parameter to be a format string. So, in many places, we've converted these to something like log.debug(e.toString(),e);.

However, the key point here is that it's not just any string, it's specifically a format string. So, this will be problematic if e.toString() actually contains format instructions like The input "{}" is not a valid table name.

To avoid these kinds of problems, we should take care to replace these with a better option:

log.debug("Some explicit message", e); (preferred)
log.debug("", e);
log.debug("{}", e.getMessage(), e);
log.debug("{}", e.toString(), e);
log.debug("{}", e, e);

Attachments

Issue Links

is related to

ACCUMULO-3652 Remove string concatenation in log statements where slf4j is used.

Resolved

links to

GitHub Pull Request #24

Activity

People

Assignee:: Ed Coleman

Reporter:: Christopher Tubbs

Votes:: 0 Vote for this issue

Watchers:: 3 Start watching this issue

Dates

Created:: 18/Mar/15 19:35

Updated:: 03/Jun/16 18:03

Resolved:: 07/Apr/15 20:34

Time Tracking

Estimated:

Not Specified

Remaining:

Logged:

20m